openssh bugs - Jun 2025 - [Bug 3833] New: Setting User with a wildcard Host doesn't work correctly with ProxyJump

https://bugzilla.mindrot.org/show_bug.cgi?id=3833

            Bug ID: 3833
           Summary: Setting User with a wildcard Host doesn't work
                    correctly with ProxyJump
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: Mac OS X
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: marc.a.sarrel at jpl.nasa.gov

I need to log in to HostB with account UserB.  The routing is set up so
that I must hop through Host A with account UserA. I'm using forwarding
SSH keys with the ssh-agent on my Mac.

I have a config file like this on my local Mac:

Host *
  User UserA
Host HostA
  ...
Host HostB
  User UserB
  ProxyJump HostA

And this config file on HostA:

Host *
  User UserA
Host HostB
  User UserB

This fails when I type "ssh HostB" on my Mac.  It prompts me for the
password for UserA on HostB.  If I type "ssh HostA" on my Mac, then
type "ssh HostB" on HostA, everything works as expected and I log in
without typing any passwords or pass phrases.

If I change the config file on my Mac to this:

Host *
  ...
Host HostA
  User UserA
Host HostB
  User UserB
  ProxyJump HostA

I can type "ssh HostB" on my Mac and everything works correctly again.

But, this is really inconvenient.  It means I have to have a bunch more
User lines in my config file than I should need.  I want the first
config file above to work properly with ProxyJump.  I should be able to
specify a global default user name this way, and then override it only
as needed, even if I'm using ProxyJump.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3833

--- Comment #1 from Marc Sarrel <marc.a.sarrel at jpl.nasa.gov> ---
The above presumes that I use UserA for almost all of the hosts in my
config file, and that only one or two machines are exceptions.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3833

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
The config file parsing is first-match for each config keyword.  You
want overrides at the top and defaults at the bottom, so something like

Host HostA
  ...
Host HostB
  User UserB
  ProxyJump HostA
Host *
  User UserA

(In reply to Marc Sarrel from comment #0)
[...]
> And this config file on HostA:
Because you're using ProxyJump, the configuration on HostA is not used
in this scenario.  The local client makes a request to HostA, then
makes a second request via HostA using a port forwarding request.  In
both cases the config on the local client (the Mac) is used.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3833

--- Comment #3 from Marc Sarrel <marc.a.sarrel at jpl.nasa.gov> ---
Thank you.  That works!  I still wish the order of lines in the file
doesn't matter, but I can make this work for me.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3833

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED

--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
It's always worked this way.  Quoting ssh_config(5):

  Unless noted otherwise, for each parameter, the  first  obtained 
value
  will  be  used.   The configuration files contain sections separated
by
  Host specifications, and that section is only applied  for  hosts 
that
  match one of the patterns given in the specification.  The matched
host
  name   is   usually  the  one  given  on  the  command  line  (see 
the
  CanonicalizeHostname option for exceptions).

  Since the first obtained value for each parameter is used,  more 
host-
  specific  declarations  should be given near the beginning of the
file,
  and general defaults at the end.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.